Re: new version trusted-proxy20 draft

Salvatore Loreto <salvatore.loreto@ericsson.com> Mon, 24 February 2014 10:35 UTC

From: Salvatore Loreto <salvatore.loreto@ericsson.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Date: Mon, 24 Feb 2014 10:33:32 +0000
Subject: Re: new version trusted-proxy20 draft
Archived-At: <http://www.w3.org/mid/C909469D-00D5-4D84-9003-F9E4FE18EACF@ericsson.com>

Hi Ilari

thanks a lot for your comments, see my answers inline


On Feb 24, 2014, at 11:00 AM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:

> On Fri, Feb 14, 2014 at 06:56:14PM +0000, Salvatore Loreto wrote:
>> 
>> URL:            http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-01.txt
> 
> Some comments:
> 
> 1) As others have said, unnecessarily admitting to possible attackers
> that connections aren't really protected is not a good idea.
> 
> 2) The downgrade to HTTP/1.1 for proxy setup looks really odd, and
> should be over TLS too.

thanks to all the mail discussions, more thoughts and other chats on the issue,
I tend to agree that the captive proxy (i.e. section 3.2) solution with the downgrade to HTTP/1.1 is not
such a great proposal…

especially compared to the trusted proxy one
http://tools.ietf.org/html/draft-loreto-httpbis-trusted-proxy20-01#section-3.1

> 
> 3) Leaving manual configuration aside, there is certain merit to the
> idea that network is able to force a proxy. OTOH, the arising security
> issues aren't trivial (understatement).

security issues are never trivial

> 
> 4) One idea would be h2p / h2pxy / h2proxy protocol, which would be
> HTTP/2 with some extensions for proxy operation, like additional
> response codes, proxy being able to respond for itself, browser being
> able to send request to proxy, proxy relaying certificate info, etc...
> 
> 5) Regarding use cases, protocol conforming to principle of
> least privilege and accommodating all or even most of those (goes
> up to "Tom's Rural broadband" right now) would likely be hideously
> complicated mess of crypto.
> 
> 6) Because of the last, one is pretty much limited to no trust (CONNECT)
> or full trust (GET/POST/PUT).
> 
> 
> -Ilari